but in webapps it's usual to send passwords to a user in case he forgets it.
Absolutely not! In a well-engineered (from a security point of view) web app, a password is never sent to the user. Unfortunately, it is common that cleartext passwords are stored, but it is not necessary. If a user forgets a password, it should be considered compromised, and the user should pick a new one. This can happen through a link that was sent by email to an address associated with a username the user entered before - not to an address the user can enter just then!
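The reset flow described in the answer above, as an added example that is not part of the original post: only a salted password hash is stored, and the reset link goes to the address already on file for the username. The in-memory stores, the `app.example` URL, the 15-minute lifetime and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 15 * 60   # assumed link lifetime in seconds
USERS = {}            # username -> {"email", "pw": (salt, hash)}; no cleartext kept
RESET_TOKENS = {}     # sha256(token) -> (username, expiry); raw token never stored
OUTBOX = []           # stand-in for the mail system: (address, link)

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username, email, password):
    USERS[username] = {"email": email, "pw": hash_password(password)}

def check_password(username, password):
    salt, stored = USERS[username]["pw"]
    return hmac.compare_digest(stored, hash_password(password, salt)[1])

def request_reset(username, now=None):
    """The caller supplies only a username; there is no address parameter."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (username, now + RESET_TTL)
        # The address comes from the account record, never from the request.
        OUTBOX.append((user["email"], "https://app.example/reset?token=" + token))
    # Same reply whether or not the account exists.
    return "If the account exists, a reset link has been sent."

def redeem_reset(token, new_password, now=None):
    """Let the user pick a new password; each token works once and expires."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False
    USERS[entry[0]]["pw"] = hash_password(new_password)
    return True
```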